Why most providers fail Reg 17, and how to evidence good governance

I spent thirteen years inspecting against Reg 17, and the conversation I had with registered managers about it was almost always the same. I would arrive, introduce myself, ask to see the last six months of governance meeting minutes. They would hand me a folder, sometimes a binder, occasionally a USB stick with the air of a person handing over a passport. And in the next forty-five minutes, sitting in their office or a side room with a cup of tea, I would already know roughly how the inspection was going to land.

Not because I had read every word. Because the meeting minutes told me whether the system was actually running. And once you know that, the rest of the inspection is mostly the inspector confirming what they already suspect.

Reg 17 of the 2014 Regulated Activities Regulations is short. The headline duty is that providers must establish and operate effective systems to ensure compliance with the requirements in Part 3 of the regulations. In plain English: Reg 17 is the regulation that requires the system that runs the rest of the regulations. It is the well-led regulation.

Reg 17(2) lists six things those systems must enable in particular. Assess and improve the quality and safety of the service. Assess and mitigate risks. Maintain an accurate and contemporaneous record for each service user. Maintain accurate records of employment and management. Seek and act on feedback. Continually evaluate the processes themselves. There is also Reg 17(3), which gives CQC the power to ask for a written report on quality, safety, risks, and improvement plans on 28 days' notice. Most providers will never receive a 17(3) request. The ones who do are usually those whose ratings or reports already suggest the governance system is not visible.

The trap is reading Reg 17 as a documentation requirement. It is a behaviour requirement evidenced by documentation. There is a difference, and inspectors can usually tell which one is happening from the records themselves.

The clinical governance meeting minutes, the board minutes for those services that have a board, the multidisciplinary team meeting minutes where the service has those, were the single most diagnostic piece of evidence I read across thirteen years. More than the risk register, more than the policies on the shelf, more than the training matrix.

The reason is structural. The minutes are the place where the leadership team's thinking becomes visible. The risk register is what someone wrote on a workshop day. The policies are what someone signed off on at induction. The minutes are the trail of what the leadership team actually noticed, what they decided, and whether they followed through. If the minutes tell a coherent story across six months, the governance system is operating. If they do not, something else is going on.

What I was reading for, specifically. Did the same standing items keep appearing on the agenda? Were the right people in the room? When a decision was taken, was the action recorded with a named owner and a date? At the next meeting, did anyone ask whether the action had been completed? When something unusual was flagged, was it followed up at the next meeting or did it quietly disappear? Did the minutes ever say anything was difficult, or was every paragraph confident?

The last one is more telling than people expect. A year of meeting minutes that record no difficult-to-resolve issue, no disagreement, no half-finished decision, is the wrong shape. Real governance is messy because real services have problems and the leadership team is supposed to be wrestling with them. Minutes that present the service as smooth all the way through usually mean the difficult conversations are happening elsewhere, and the inspector cannot see them.

Across thirteen years and several hundred inspections, the patterns that produced Reg 17 findings came back again and again. The five I saw most often.

The cadence has slipped. The policy says clinical governance meets monthly. The minutes file shows it actually met four times in the last twelve months. The provider tells me, quite reasonably, that clinical work kept getting in the way. I understand. I also note that the Reg 17 duty is to operate an effective system, and a system that meets a third of the time it is supposed to meet is not effective. This is the single most common Reg 17 finding, and the most recoverable. Putting the meetings back in the diary fixes it; what produces the finding is the audit trail showing the gap.

The minutes do not record decisions. The agenda was followed. The discussion happened. What is in the minutes is a paragraph of the discussion and then the next agenda item. What is not in the minutes is what the meeting decided. If I cannot tell from the minutes what the meeting concluded, then the next month's meeting cannot tell either, and the system has no memory. Inspectors read for “the committee agreed to”, “X was actioned to”, “Y will report back by”. Absence of those phrases is the finding.

Decisions never become actions.The minutes record a decision. The minutes do not show a corresponding entry in the improvement-actions register. Six months later, nothing has happened. The decision was a wish, not an action. This is the governance equivalent of a New Year's resolution. The Reg 17 system requires the loop to close: meeting takes a decision, action gets opened, action gets completed with evidence, next meeting confirms completion.

Standing items quietly leave the agenda. The clinical governance committee had complaints as a standing item for a year. It went quiet for two meetings because no new complaints had come in. Then it left the agenda entirely. The team tells the inspector this was a deliberate removal because nothing was happening. The inspector reads it as the team stopping looking. Almost every service that drops a standing item from its agenda because nothing seems to be happening is wrong about nothing happening. The thing that is happening, they stopped surfacing.

The risk register is dated eighteen months ago. Every entry was scored on the original workshop day. The review-cadence column says quarterly. The last-reviewed date column is empty or stale. The register contains what the team thought about risk eighteen months ago, not what they think about it now. A register that has not moved is not a risk register; it is a piece of paper that mentions risks. Reg 17(2) requires the system to assess and mitigate risks, present tense.

I am being precise about the failure modes because they are diagnostic, not because the picture is negative. Services that ranked Good or Outstanding on well-led had the same governance system shapes as everyone else. They just operated them.

What I saw in the well-run services. The meeting happened when the diary said it would, even when the clinical week was busy, because the team had decided the meeting was where the difficult work got done. The minutes named decisions in three or four words apiece. The improvement-actions register at the next meeting was read against the previous meeting's decisions, item by item. The risk register had quarterly review dates that were within the cadence. When something genuinely tricky surfaced (a complaint pattern across three months, a clinical incident where the team was not sure whether the response had been adequate, a piece of equipment that the manufacturer had quietly reclassified), the minutes recorded the discussion as difficult. The team would sometimes ask me how I would have handled it, and I would say honestly that I had no idea, and we would both sit with that for a moment.

The well-run services were not better at having clean problems. They were better at having visible ones. The Reg 17 evidence trail was a record of the leadership team paying attention.

When I sat down with the last six months of governance minutes, my reading order was specific. I would start with the most recent meeting and work backwards. The first thing I checked was whether the previous meeting's actions had been reviewed at the current meeting. If yes, that was the first confirmation that the loop was closing. If no, I knew before I had read a single decision that the system was probably not running.

Then I looked at the agenda shape across the six months. Were the standing items consistent? When something changed (a new agenda item appeared, a standing item left), was the reason visible? Could I see the inflection point where the team had decided to start watching something new?

Then I looked at the people present. Was the registered manager actually in the meeting? Was the named medical advisor or clinical lead there? Repeated apologies from a key role meant the meeting was operating without the person it needed in the room. That itself is a finding.

Then, only then, I would read individual decisions. By that point I already had a working theory of how the inspection was going to go.

The reason I built Verivius the way I did, with the governance meeting register sitting alongside the risk register and the improvement-actions register and every lifecycle that feeds them, is that the chain I was looking for as an inspector should not require the team to assemble it under pressure. It should already be assembled because the team has been working in the open all year.

The minutes name the decisions because the field is structured that way. The actions appear in the improvement-actions register because the meeting opens them directly from the minute. The next meeting's agenda automatically surfaces the previous meeting's open actions. The risk register has the next-review date on the dashboard so overdue reviews are visible before the cadence slips. None of this is novel. It is what running the governance system openly looks like, and the platform is the operational shape of that.

If you are reading this as a registered manager who has just realised your last six months of minutes would not survive my arrival, you are not alone. Most of the providers I inspected got there in the end. The fastest way back is to put one good meeting in the diary, run it with decisions recorded as decisions, open the actions in the register the same week, and at the next meeting read them back. Three cycles of that and the trail starts to look like a governance system again.

On the meeting cadence question specifically: the governance meeting cadence that actually works. On the well-led question from the broader inspector-perspective angle: why providers fail Well-led. The Reg 17 sample policy template, ready to adapt: Reg 17 Good governance. The plain-English regulation explainer: /regulations/reg-17-good-governance.